HackTheBox - Developer

00:00 - Intro 01:04 - Start of nmap 03:00 - Examining the web page, noticing every URL with admin gets redirected to a django login 05:00 - Creating an account and looking at the page to discover CTF Challenges 06:15 - CHALLENGE 1: Phished List, a protected excel spreadsheet. Remove protection to see hidden cells 11:50 - Submitting a writeup, discovering an old version of Firefox talks to us 14:00 - Checking for Tab Nabbing vulnerability and explaining it 17:30 - Creating a phishing page by mirroring the page with wget and then using PHP to log submitted credentials 29:30 - Phishing worked, got the admin's password. Login to Django to see another website (Sentry) 33:00 - Creating an error message in Sentry to get an error message, which contains a secret key used to encrypt the cookie 36:10 - Grabbing a django deserialization payload then installing django on python2 to use the payload 40:15 - Changing the payload in the exploit to a reverse shell, avoiding any bad characters for URL and getting a reverse shell 41:30 - Setting up the reverse shell in a way that works with ZSH, just need to do stty raw -echo; fg on one line 46:13 - Logging into Sentry Postgres Databae then enumerating tables and dumping the users table and cracking karl's password 52:25 - Discovering Karl can execute the authenticator binary with sudo, strings shows it is a rust binary. Copy it back to our box 56:55 - Examing the binary in Ghidra 58:55 - Discovering a call to Crypto::AES::CTR, using the rust docs to figure out what our variables are 1:01:22 - Showing that AES-CTR does not have defined block sizes 1:05:00 - Using GDB to help our analysis, showing how to setup break points around what our decompiler shows 1:10:36 - Examining memory to confirm our static analysis was correct 1:11:15 - Grabbing the encrypted blob the program is comparing against to get the password and getting root 1:15:40 - CHALLENGE 2: PSE, an dotnet binary that runs a uses PS2EXE to run powershell to encrypt a string